History: Jun 18, 2018 - 12:00 a.m.

Security Bulletin: IBM PowerVC is impacted by OpenStack Glance server-side request forgery (CVE-2017-7200)

2018-06-18 00:00:26
www.ibm.com

EPSS: 0.002 (Low), Percentile: 58.6%

Summary

IBM PowerVC may disclose sensitive information when images are created with the 'copy_from' feature of the v1 Image Service API, because the server fetches the supplied URL on the caller's behalf.

Vulnerability Details

CVEID: CVE-2017-7200
DESCRIPTION: OpenStack Glance is vulnerable to server-side request forgery, caused by a flaw in the 'copy_from' feature of the Image Service API v1. Because the Glance server itself fetches the URL given in 'copy_from', an attacker who can create images can supply a specially crafted URL (for example one pointing at an internal host and port) and use the outcome of that server-side request to obtain sensitive information about the network behind the API, such as which internal ports are reachable.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123533 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
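The following is an added, self-contained illustration of the 'copy_from' SSRF pattern described above and of the kind of URL validation that closes it. It is not code from IBM PowerVC or OpenStack Glance, and the function names, the allowed-scheme/port policy and the FAKE_NETWORK table are assumptions constructed for this example so that it runs offline. The unchecked image-create path hands the caller's URL straight to a fetcher, so the caller learns which internal ports answer; the checked path refuses non-HTTP schemes, unusual ports, embedded credentials and internal addresses before anything is fetched.

```python
"""Illustrative 'copy_from' SSRF check.

Added example, not IBM PowerVC or OpenStack Glance code. All names and the
policy constants below are assumptions made for this demonstration.
"""
import ipaddress
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumed policy: no file://, ftp://, gopher:// ...
ALLOWED_PORTS = {80, 443}             # assumed policy: only standard web ports


def _address_is_internal(host: str) -> bool:
    """True if host is a loopback name or an IP literal in a non-public range.

    Other hostnames pass through here; a real service must resolve them, check
    every returned address the same way, and connect to the validated address
    rather than the name (otherwise DNS rebinding defeats the check).
    """
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_copy_from_url(url: str) -> Optional[str]:
    """Return None if the URL may be fetched server-side, else the refusal reason."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "missing host"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    try:
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    if _address_is_internal(parts.hostname):
        return f"host {parts.hostname!r} is internal"
    return None


# Constructed stand-in for the network behind the image server: which
# (host, port) pairs accept a connection. Lets the example run offline.
FAKE_NETWORK = {("10.0.0.5", 22): "open", ("10.0.0.5", 3306): "open"}


def fake_fetch(url: str) -> Dict[str, str]:
    """Simulates the server-side fetch; the result reveals whether the port answered."""
    p = urlsplit(url)
    state = FAKE_NETWORK.get((p.hostname, p.port or 80), "refused")
    return {"url": url, "result": state}


def create_image_unchecked(meta: dict, fetch: Callable) -> dict:
    """Vulnerable pattern: the server fetches whatever 'copy_from' says."""
    return {"status": "queued", "fetched": fetch(meta["copy_from"])}


def create_image_checked(meta: dict, fetch: Callable) -> dict:
    """Hardened pattern: validate the URL before any server-side request."""
    reason = validate_copy_from_url(meta.get("copy_from", ""))
    if reason is not None:
        return {"status": "rejected", "reason": reason}
    return {"status": "queued", "fetched": fetch(meta["copy_from"])}


def scan_ports(create: Callable, host: str, ports) -> Dict[int, str]:
    """What an attacker learns by submitting one image-create request per port."""
    out = {}
    for port in ports:
        resp = create({"name": "probe", "copy_from": f"http://{host}:{port}/"}, fake_fetch)
        out[port] = resp["fetched"]["result"] if resp["status"] == "queued" else "rejected"
    return out


if __name__ == "__main__":
    print("unchecked:", scan_ports(create_image_unchecked, "10.0.0.5", [22, 80, 3306]))
    print("checked:  ", scan_ports(create_image_checked, "10.0.0.5", [22, 80, 3306]))
```

Running the script prints the attacker's view in both cases: the unchecked path tells the caller that 22 and 3306 answer on 10.0.0.5 while 80 does not, which is a port scan of the internal network performed by the image service; the checked path rejects every probe before a request is made. The same validation applies to any "fetch this URL for me" feature, not only to Glance v1.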

Affected Products and Versions

PowerVC Standard Edition 1.3.1.x
PowerVC Standard Edition 1.3.2.x

Remediation/Fixes

For PowerVC 1.3.1, update to 1.3.1 fix pack 2 and then apply the IT21367_IT21368_IT21369 interim fix from Fix Central: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FPowerVC&fixids=1.3.1.2-PowerVC-RHEL-NOARCH-APAR-IT21367_IT21368_IT21369&source=dbluesearch
For PowerVC 1.3.2, update to 1.3.2 fix pack 1 and then apply the IT21368 interim fix from Fix Central: http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FPowerVC&fixids=Security-Fix-1.3.2.1-PowerVC-RHEL-NOARCH-APAR-IT21368&source=dbluesearch

